Configuring VPN Policy

The vrf-import and vrf-export policy statements that you configure for overlapping VPNs are the same as policy statements for regular VPNs, except that you include the from interface statement in each VRF export policy. This statement forces each VPN to announce only those routes that originated from that VPN. For example, VPN A has routes that originated in VPN A and VPN AB. If you do not include the from interface statement, VPN A announces its own routes as well as VPN AB’s routes, so the remote PE router receives multiple announcements for the same routes. Including the from interface statement restricts each VPN to announcing only the routes it originated and allows you to filter out the routes imported from other routing tables for local connectivity.

In this configuration example, the vpnab-import policy accepts routes from VPN A, VPN B, and VPN AB. The vpna-export policy exports only routes that originate in VPN A. Similarly, the vpnb-export and vpnab-export policies export only routes that originate within the respective VPNs.

On Router PE1, configure the following VPN import and export policies:

[edit]
policy-options {
    policy-statement vpna-import {
        term a {
            from {
                protocol bgp;
                community VPNA-comm;
            }
            then accept;
        }
        term b {
            then reject;
        }
    }
    policy-statement vpnb-import {
        term a {
            from {
                protocol bgp;
                community VPNB-comm;
            }
            then accept;
        }
        term b {
            then reject;
        }
    }
    policy-statement vpnab-import {
        term a {
            from {
                protocol bgp;
                community [ VPNA-comm VPNB-comm ];
            }
            then accept;
        }
        term b {
            then reject;
        }
    }
    policy-statement vpna-export {
        term a {
            from {
                protocol static;
                interface fe-1/0/0.0;
            }
            then {
                community add VPNA-comm;
                accept;
            }
        }
        term b {
            then reject;
        }
    }
    policy-statement vpnb-export {
        term a {
            from {
                protocol static;
                interface fe-1/0/2.0;
            }
            then {
                community add VPNB-comm;
                accept;
            }
        }
        term b {
            then reject;
        }
    }
    policy-statement vpnab-export {
        term a {
            from {
                protocol static;
                interface fe-1/1/0.0;
            }
            then {
                community add VPNB-comm;
                community add VPNA-comm;
                accept;
            }
        }
        term b {
            then reject;
        }
    }
    community VPNA-comm members target:69:1;
    community VPNB-comm members target:69:2;
}

On Router PE1, apply the VPN import and export policies:

[edit]
routing-instances {
    VPN-A {
        instance-type vrf;
        interface fe-1/0/0.0;
        route-distinguisher 10.255.14.175:3;
        vrf-import vpna-import;
        vrf-export vpna-export;
        routing-options {
            static {
                rib-group vpna-vpnab;
                route 10.255.14.155/32 next-hop 192.168.197.141;
                route 10.255.14.185/32 next-hop 192.168.197.178;
            }
        }
    }
    VPN-AB {
        instance-type vrf;
        interface fe-1/1/0.0;
        route-distinguisher 10.255.14.175:9;
        vrf-import vpnab-import;
        vrf-export vpnab-export;
        routing-options {
            static {
                rib-group vpnab-vpna_and_vpnb;
                route 10.255.14.185/32 next-hop 192.168.197.178;
            }
        }
    }
    VPN-B {
        instance-type vrf;
        interface fe-1/0/2.0;
        route-distinguisher 10.255.14.175:10;
        vrf-import vpnb-import;
        vrf-export vpnb-export;
        routing-options {
            static {
                rib-group vpnb-vpnab;
                route 10.255.14.186/32 next-hop 192.168.197.242;
            }
        }
    }
}

For VPN A, include the routing-options statement at the [edit routing-instances routing-instance-name] hierarchy level to install the static routes directly into the routing tables defined in the routing table group vpna-vpnab. For VPN AB, the configuration installs the static route directly into the routing tables defined in the routing table group vpnab-vpna and vpnab-vpnb. For VPN B, the configuration installs the static route directly into the routing tables defined in the routing table group vpnb-vpnab.
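As an added example (not part of the original documentation), the following Python script audits a configuration for the rule described above: every accepting term of a vrf-export policy must match an interface that belongs to its own routing instance, so the VRF announces only routes it originated. The parser, the function names, and the weakened vpnb-export variant in the sample are assumptions made for illustration; only named terms are checked.

```python
import re

# Constructed sample: vpna-export is the page's policy; vpnb-export is a
# weakened variant (not from the page) that omits the "from interface" match.
SAMPLE = """
policy-options {
  policy-statement vpna-export {
    term a { from { protocol static; interface fe-1/0/0.0; }
             then { community add VPNA-comm; accept; } }
    term b { then reject; } }
  policy-statement vpnb-export {
    term a { from protocol static; then { community add VPNB-comm; accept; } }
    term b { then reject; } } }
routing-instances {
  VPN-A { instance-type vrf; interface fe-1/0/0.0; vrf-export vpna-export; }
  VPN-B { instance-type vrf; interface fe-1/0/2.0; vrf-export vpnb-export; } }
"""

def parse(text):
    """Curly-brace config -> nested dicts: blocks map to dicts, leaf statements to None."""
    stack = [{}]
    for tok in re.findall(r"[^{};]+[{;]|\}", text):
        key = " ".join(tok[:-1].split())
        if tok == "}":
            stack.pop()
        elif tok.endswith("{"):
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key] = None
    return stack[0]

def args(node, key):
    """Argument lists of 'key ...;' statements, inline or inside a 'key { }' block."""
    inline = [k.split()[1:] for k in node if k.startswith(key + " ")]
    return inline + [k.split() for k in node.get(key) or {}]

def audit(cfg):
    """Flag accepting vrf-export terms that match no interface of their own VRF."""
    pols = {k.split()[1]: v for k, v in cfg.get("policy-options", {}).items()
            if k.startswith("policy-statement ")}
    findings = []
    for inst, body in cfg.get("routing-instances", {}).items():
        own = {a[0] for a in args(body, "interface")}
        for pol in args(body, "vrf-export"):
            for term, t in pols.get(pol[0], {}).items():  # named terms only
                if t and ["accept"] in args(t, "then"):
                    matched = {a[1] for a in args(t, "from") if a[0] == "interface"}
                    if not matched or not matched <= own:
                        findings.append((inst, pol[0], term))
    return findings
```

Calling audit(parse(SAMPLE)) reports the VPN-B export term, which accepts static routes without restricting them to the interface of VPN-B.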

